- What are data brokers?
- How do data brokers obtain information?
- What types of information do data brokers collect?
- What are the different types of data brokers?
- Who uses data broker information?
- How accurate is data broker information?
- Do any laws regulate data brokers?
- Do individuals have any rights to see, correct, or opt-out of the information that data brokers have compiled?
1. What are data brokers?
Data brokers collect and aggregate consumer information from a wide range of sources to create detailed profiles of individuals. Generally, they do not obtain this information directly from consumers. Data brokers then sell or share your personal information with others, including businesses, government agencies, other individuals, and other data brokers. In some cases, they might exchange this information under a cooperative arrangement rather than sell it. In other instances, they might provide the information at no cost, making money through advertising or referrals.
The Federal Trade Commission (FTC) has defined data brokers as “companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.” Protecting Consumer Privacy in an Era of Rapid Change at page 68.
Data brokers may obtain information from a large number of sources including:
- Government and public records such as court filings, real property and tax assessor records; court filings, recorded liens and mortgages, driver’s license records, motor vehicle records, voter registrations, telephone directories, real estate listings, birth, marriage, divorce and death records, professional license filings, hunting and fishing licenses, and Census demographic information. Some states may restrict disclosure of some of this information.
- Self-reported information directly from consumers through warranty cards, sweepstakes entries, contests, and surveys. This information may be provided by consumers either online or offline.
- Social media sites such as Facebook, LinkedIn, and others may be used to gather information including consumers’ names, age, gender, location, colleges and universities attended.
- Cooperative arrangements through which companies provide information about their customers in exchange for information to enhance their existing customer lists or identify new customers.
- Purchase or licensing of information from other data brokers, retailers, and financial institutions. This may include consumers’ online activities from advertising networks, data about purchases from retailers, catalog companies and magazines, and data from websites where consumers register or log in to obtain services, such as retail, news, and travel sites.
Data brokers collect a wide range of personal information about consumers. Much of this information is demographic in nature, and may include consumer names, their addresses (and previous addresses), telephone numbers, e-mail addresses, age and gender, family status (marital status and number and ages of children), Social Security numbers, religion, data about real estate owned, political affiliation, estimated income level, educational level, and occupation.
Some data brokers collect lists of people experiencing life event triggers such as getting married, having a baby, moving, buying a home, or getting divorced.
Other data brokers collect more specialized types of information including purchasing history (including automobiles owned), social media history, hobbies and interests, medical conditions, and payment methods used (credit cards and debit cards). The Illustrative List of Data Elements and Segments (Appendix B) in the FTC’s report Data Brokers: A Call for Transparency and Accountability demonstrates the breadth of information collected by data brokers.
The FTC divides the data broker industry into three broad categories based upon the type of product that they sell: (1) marketing products, (2) risk mitigation products, and (3) people search products.
- Data brokers that sell marketing products enable their clients to create tailored marketing messages to consumers. The FTC has grouped these marketing products into direct marketing, including direct mail, telemarketing, and email marketing; online marketing, including marketing to consumers via the Internet, on mobile devices, and through cable and satellite television; and (3) marketing analytics, which attempts to predict consumers’ likely behavior.
- Risk mitigation products fall into two categories: identity verification and fraud detection. Identity verification products assist clients, such as banks in confirming the identity of an individual. Fraud detection products assist clients, such as government agencies, in verifying the reliability or truthfulness of information a person submits to them.
- People search products provide personal information about individuals. Unlike marketing and risk mitigation products, they are generally intended for use by individual consumers, although they can also be used by organizations, law enforcement agencies, private investigators, and the media. Consumers may use people search products to find lost friends or to “snoop” on individuals. These products are sometimes used to facilitate stalking or for other nefarious purposes. People search products may obtain information about consumers from government and other publicly available sources, such as social networks and telephone directories.
People search products generally provide their services online. The data brokers that offer these products are sometimes referred to as online information brokers or online data vendors. PRC maintains an extensive Data Broker List of almost 300 online people search products. While consumers generally do not have a legal right to prevent data brokers from publishing their personal information, our Data Broker List explains how to “opt out” from those data brokers that offer that option.
You can learn much more about the types of products offered by data brokers by reading Section IV of the FTC’s report Data Brokers: A Call for Transparency and Accountability.
Data brokers sell the consumer data that they have compiled to a wide range of customers. These customers may include financial institutions, insurance companies, the hospitality industry, cable and telecommunications companies, political campaigns, retail stores, and even government entities and law enforcement agencies. In addition, many data brokers sell or exchange information with other data brokers.
As an example, the data broker Acxiom’s customers include “47 Fortune 100 clients; 12 of the top 15 credit card issuers; seven of the top 10 retail banks; eight of the top 10 telecom/media companies; seven of the top 10 retailers; 11 of the top 14 automotive manufacturers; six of the top 10 brokerage firms; three of the top 10 pharmaceutical manufacturers; five of the top 10 life/health insurance providers; nine of the top 10 property and casualty insurers; eight of the top 10 lodging companies; two of the top three gaming companies; three of the top five domestic airlines; six of the top 10 U.S. hotels.” U.S. Senate Commerce Committee, A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes (“Rockefeller Report”).
The accuracy of data broker products may vary significantly, depending upon the quality control procedures of the specific data broker. Accuracy is also somewhat dependent upon the type of data broker product and the data broker’s business model.
- Data brokers providing marketing products tend to rely upon the reputation of their sources. However, depending upon their data matching practices, they may not always accurately match the data to the appropriate person. Some may take additional steps to assure that information is accurate and up-to-date and attempt to reconcile conflicting information.
- Data brokers that provide risk mitigation products take steps to assess whether their sources are providing reliable information. Data brokers providing fraud detection products generally do not alter the data they obtain. They tend to retain historical data in order to spot trends potentially associated with fraud. Thus, while some data used in fraud detection products may not be current or accurate, that data may nevertheless be relevant for purposes of detecting possible fraud. In contrast, for identity verification products, associating the correct identifying information with the proper individual is critical.
- Data brokers providing people search products generally do not assess their sources for accuracy. While they may take steps to match the data they receive to the appropriate individual, they generally leave it to users to determine which results, if any, match the person they are seeking.
Additional information about the accuracy of data broker products may be found in Section V of the FTC’s report Data Brokers: A Call for Transparency and Accountability).
According to the FTC, there are no current federal laws requiring data brokers to maintain the privacy of consumer data unless they use that data for credit, employment, insurance, housing, or other similar purposes. Consumers generally have no federal right to know what information data brokers have compiled about them for marketing purposes. No federal law provides consumers with the right to correct inaccuracies in the data or assumptions made by data brokers.
The Fair Credit Reporting Act (FCRA) imposes a number of obligations on consumer reporting agencies (CRAs), which are entities that assemble consumer information into consumer reports (credit reports). The FCRA applies to data brokers only if the data is used by issuers of credit or insurance, or by employers, landlords, and others in making eligibility decisions affecting consumers. It’s important to note that most data brokers are not CRAs and thus are not subject to the FCRA. You can learn more about the FCRA by reading PRC’s guide Credit Reporting Basics: How Private Is My Credit Report?
Vermont's landmark "first in the nation" data broker law became effective on May 22, 2018. Under this law, data brokers must register with the Vermont Secretary of State, provide greater transparency about information collected about consumers, and maintain appropriate information security systems. Data brokers also are prohibited from acquiring or using personal information for stalking, committing fraud or engaging in discrimination.
Currently, no federal law provides consumers with the right to learn what information data brokers have compiled about them. Likewise, consumers do not have a right to “opt out”, that is, to prevent data brokers from collecting, sharing, or publishing their personal information. Consumers also do not have the right to require data brokers to correct or delete inaccurate, incomplete, or unverifiable information.
However, the FCRA imposes a number of obligations on consumer reporting agencies (CRAs), which are entities that assemble consumer information into consumer reports (credit reports). If a data broker engages in activity the causes it to become a CRA, then consumers gain a number of rights under federal law.
- Consumers have the right to access their “file”, that is to say, the data that a CRA maintains about them.
- Consumers also have the right to correct errors in their file.
- Finally, consumers can opt out of certain marketing uses of their information.
It’s important to note that most data brokers are not CRAs and thus are not subject to the FCRA. You can learn more about your rights under FCRA by reading PRC’s guide Credit Reporting Basics: How Private Is My Credit Report?
Two California laws offer certain individuals limited protection from having their personal information posted online by data brokers.
- Victims of domestic violence, stalking or sexual assault registered with the Safe at Home program can submit to an Internet company an opt-out form that prevents the company from posting the his or her personal information online.
- Designated California public safety, elected or appointed officials have the right under California Government Code section 6254.21 to have their home addresses and telephone numbers removed from the Internet. This form can be used to communicate with data brokers.
These resources provide an overview of the data broker industry:
U.S. Senate Commerce Committee, A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes (December 2013) (“Rockefeller Report”)
U.S. Government Accountability Office, Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace (September 2013) (“GAO Report”)
Federal Trade Commission, Data Brokers: A Call for Transparency and Accountability (May 2014)
Everything We Know About What Data Brokers Know About You (ProPublica, September 13, 2013)
Corporate Surveillance in Everyday Life (Institute for Critical Digital Culture, June 2017)
World Privacy Forum, Data Broker Page
Privacy Rights Clearinghouse, List of Criminal Data Broker Websites
Privacy Rights Clearinghouse, List of Data Broker Websites